FastNetMon Usage Notes
FastNetMon is a high-performance DoS/DDoS detection tool:
Supports multiple packet capture engines: netmap, PF_RING, PCAP, AF_PACKET, AF_XDP;
Supports multiple flow telemetry formats: NetFlow v5, v9, IPFIX, sFlow v4, v5, port mirror/SPAN;
Supports BGP integration: ExaBGP, GoBGP;
Supports blackhole mode & BGP Flow Spec mode;
Supports Redis, MongoDB, Grafana & InfluxDB integration;
Supports alert actions: email, Python, bash script, etc.;
Supports a gRPC API;
FastNetMon GitHub
FastNetMon Official site
Download & Install
RPM
CentOS RPM
CentOS-8
wget https://community-downloads.fastnetmon.com/releases/1.1.6/centos/8/fastnetmon-1.1.6-1.el8.x86_64.rpm
rpm -ivh fastnetmon-1.1.6-1.el8.x86_64.rpm
Install script
wget https://raw.githubusercontent.com/pavel-odintsov/fastnetmon/master/src/fastnetmon_install.pl -O fastnetmon_install.pl
sudo perl fastnetmon_install.pl
Configure
/etc/networks_list
Configure the CIDR prefixes of the monitored host networks:
222.X.X.X/24
/etc/fastnetmon.conf
Attack detection thresholds
Adjust them according to the actual traffic profile of the service:
# Different approaches to attack detection
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off
# Limits for Dos/DDoS attacks
threshold_pps = 1000
threshold_mbps = 50
threshold_flows = 3500
# Per protocol attack thresholds
# We don't implement per protocol flow limits, sorry :(
# These limits should be smaller than global pps/mbps limits
threshold_tcp_mbps = 50
threshold_udp_mbps = 50
threshold_icmp_mbps = 10
threshold_tcp_pps = 10000
threshold_udp_pps = 20000
threshold_icmp_pps = 1000
ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off
ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off
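The comment in the threshold section says per-protocol limits should be smaller than the global pps/mbps limits, and a ban_for_* switch is only useful if its threshold is set. The following is an added example (not FastNetMon's own code) that parses the key = value format of fastnetmon.conf and flags both problems; the sample configuration embedded in it is constructed from the values above, which in fact set threshold_tcp_pps and threshold_udp_pps far above threshold_pps.

```python
PROTOCOLS = ("tcp", "udp", "icmp")

# Constructed sample taken from the threshold section above (trimmed); the
# comment line is there to show that the parser skips it.
SAMPLE_CONF = """\
# Limits for Dos/DDoS attacks
ban_for_pps = on
ban_for_bandwidth = on
threshold_pps = 1000
threshold_mbps = 50
threshold_tcp_mbps = 50
threshold_icmp_mbps = 10
threshold_tcp_pps = 10000
threshold_udp_pps = 20000
threshold_icmp_pps = 1000
"""

def parse_conf(text):
    """Parse 'key = value' lines as in fastnetmon.conf; '#' comments and blanks are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf

def check_thresholds(conf):
    """Return warnings for threshold settings that contradict the config's own guidance."""
    warnings = []
    # Rule 1: per-protocol limits must not exceed the global pps/mbps limits.
    for unit in ("pps", "mbps"):
        global_key = "threshold_" + unit
        if global_key not in conf:
            continue
        for proto in PROTOCOLS:
            key = "threshold_%s_%s" % (proto, unit)
            if key in conf and int(conf[key]) > int(conf[global_key]):
                warnings.append("%s=%s exceeds %s=%s" % (key, conf[key], global_key, conf[global_key]))
    # Rule 2: a ban switch that is 'on' needs a threshold to compare against.
    switches = {"ban_for_pps": "threshold_pps", "ban_for_bandwidth": "threshold_mbps",
                "ban_for_flows": "threshold_flows"}
    for proto in PROTOCOLS:
        switches["ban_for_%s_pps" % proto] = "threshold_%s_pps" % proto
        switches["ban_for_%s_bandwidth" % proto] = "threshold_%s_mbps" % proto
    for switch, threshold in switches.items():
        if conf.get(switch) == "on" and threshold not in conf:
            warnings.append("%s=on but %s is not set" % (switch, threshold))
    return warnings
```

Run `check_thresholds(parse_conf(open("/etc/fastnetmon.conf").read()))` before restarting the service to catch a per-protocol ban that can never trigger ahead of the global one.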
Basic configuration
Enable mirror mode and select the capture engine: mirror_afpacket or pcap.
mirror = on
# mirror_afpacket or pcap
mirror_afpacket = on
pcap = on
Configure the monitored interface (multiple interfaces are supported):
interfaces = eth3
Enable connection tracking:
enable_connection_tracking = on
Disable monitoring of the local interface addresses:
monitor_local_ip_addresses = off
Set the number of hosts kept in the monitoring list:
max_ips_in_list = 32
Run
Start fastnetmon:
/opt/fastnetmon/fastnetmon
or
systemctl restart fastnetmon
Then open the client for the live view:
fastnetmon_client
Reference
Documentation FastNetMon Advanced
FastNetMon Advanced configuration options
Comparing Ring-buffer–based Packet capture solutions